Requirement text: RE.2.137: Regularly perform and test data backups.
DISCUSSION FROM SOURCE: CMMC
Backups are used to recover data in the event of a hardware or software failure. Backups
should be performed regularly based on an organizational defined frequency. They should
be tested regularly to ensure they are performing as expected.
CMMC CLARIFICATION
Back up your organizational data so you can recover it if a hardware failure, software failure,
or malware infection occurs. You can schedule backups to run automatically or manually.
Many operating systems include a built-in feature to perform data backups.
After you create a backup, it is important to test it on a regular basis. When you test a backup,
verify that the operating system, applications, and data are intact and functional. If you test
data backups regularly, you will be in a better position to recover systems and files more
efficiently if a failure or infection occurs.
Example
You are responsible for IT in your organization. One of your jobs is to make sure you can
restore data if a serious event happens, such as a disaster, a hard drive failure, or a software
problem. You have a backup procedure in place where you back up all your data weekly on
a backup server. You set this up to occur automatically each weekend because it takes a lot
of resources to perform a backup. You verify your backups every month. This ensures that
your data is correct. It also confirms that you can use the data if you need to recover your
systems.
References
• CIS Controls v7.1 10.1, 10.3
• NIST CSF v1.1 PR.IP-4
• CERT RMM v1.2 KIM:SG6.SP1
• NIST 800-53 Rev 4 CP-9
• AU ACSC Essential Eight